Prevention is better than cure – not always, NotPetya

By Robin Gaddum

Cybersecurity is big business. Organisations are more aware of the need to defend against cyber attacks than ever before. Investment in this area is increasing by the day. And rightly so.

But what happens when an attack gets through? Because some of them will. Even with the very latest defences in place, it’s inevitable. The level of sophistication demonstrated by NotPetya – and its devastating impact – is just one case in point.

Not enough attention is being paid to truly holistic cyber resiliency. Specifically, to recovery. And that’s essential in today’s always-on, rapidly-evolving tech landscape. Some attacks will succeed – and you need to know how to recover as quickly as possible. There is no time for downtime.

High-profile, highly complex cyber attacks like NotPetya have taught us about the need to pay just as much attention to an organisation’s recovery capabilities as we do to the more “traditional” cybersecurity function. Currently, most firms are simply not prepared – and CIOs need to be asking some important questions to tackle the issue.

Four key lessons

1. Cyber resiliency is a team sport

Cyber threats are already cited as a top-ten risk by many businesses that are spending big sums on “frontline” security. It’s a high-profile topic. But security functions are not typically responsible for recovery. IT Disaster Recovery (DR) teams tend to focus on mitigating traditional risks, which don’t include recovery from sophisticated cyber attacks. There is an organisational “gap” between security and DR, which means typical DR strategies and architectures are no longer fit for purpose. It’s crucial to invest in the recovery element of your cyber resiliency framework, as part of a fully integrated, holistic solution.

CIO question: Is your risk management approach joined up?

2. Specific DR vulnerabilities must be addressed

Cold site disaster recovery is outdated. DR sites are typically connected to the wide area network (WAN), so data is constantly being replicated; replication carries an attacker’s encryption or deletion to the DR copy just as faithfully as it carries legitimate changes, which makes modern DR vulnerable to cyber attack. Strategies that depend on backup tapes held in secure offsite storage may offer air-gap insulation from cyber attack, but they cannot deliver the rapid recovery times demanded in today’s always-on world. DR solutions are mostly designed with little or no consideration for their ability to withstand a cyber attack, in spite of the attractiveness of backup servers as deliberate targets, given their access to all essential systems and data. The result is that DR planning rests on unarticulated assumptions: there is no viable intermediate data recovery position for Tier 1 services between live replication and tape backups, and there is no contingency plan to reinstate DR capability should an attack bring it down.

CIO question: What’s the backup for the backup?

3. Face the scale of the challenge

It’s not enough to have DR capabilities for a single data centre loss that only cover your most critical IT services. Unlike industrial accidents or natural catastrophes, a cyber attack is not physically constrained. It can spread everywhere and affect everything, which can mean tens of thousands of users in multiple locations. Typical DR tests don’t cover cyber attack scenarios, and robust DR automation and orchestration are lacking. Recovery can take weeks or months, with further health checks and assurance audits required – particularly when masses of “minimum viable product” recoveries go undocumented.

CIO question: Can you recover everything, everywhere, all at once?

4. Look out for Industry 4.0, operational technology, shadow IT and supply chain risk

NotPetya attacked via a trusted supplier’s DevOps environment. How many CIOs knew (or cared) that their Ukrainian entity’s Finance Department was using Ukraine’s most popular accounting software package? The Internet of Things and operational technology are at the heart of many of today’s greatest cybersecurity challenges. WannaCry, for example, had a huge impact on the UK’s National Health Service via its imaging and analysis equipment. Then think about university research facilities and their building management systems – what if their networked incubators, fridges and freezers were all turned off…? Understanding – and preparing for – the possible extent of the fallout from a cyber attack is essential to successful recovery, should the worst happen.

CIO question: How big is the problem?

Unnatural disaster recovery

Freak snowstorms, fires, floods, utility failures and man-made accidents are the more traditional focus of disaster recovery efforts. Organisations are largely well-equipped to deal with “natural” crises like this – but the risks presented by cyber attacks need to be taken just as seriously. They should be factored into business continuity activities and specific DR testing scenarios. Ultimately, organisations must take a fully integrated, holistic approach if they are to stay abreast of the rapidly evolving threats presented by cyber attacks – and be ready to recover.

Talk to an IBM expert advisor

If you’d like to discuss your cyber resiliency capabilities and the importance of integrated disaster recovery, please get in touch to arrange a personal consultation with one of our experts.